New Research Reveals Google Wallet Unsafe

A quick, simple technique can extract the Google Wallet PIN from any phone that's been rooted. New information reveals that even if you prudently refrain from rooting your phone, a thief could root it ex post facto and steal your Google Wallet funds.

It's been a bad week for Google. First, researcher Joshua Rubin from zvelo revealed a quick, simple brute force technique to extract the Google Wallet PIN from a rooted phone. Then a blog called The Smartphone Champ revealed that even if the phone isn't rooted, a thief could gain access to funds in the Google Wallet prepaid card by wiping Google Wallet settings and running setup again. Google responded by suspending new prepaid cards, but pointed out that rooting a phone capable of running Google Wallet will necessarily wipe all its data. Today Rubin demonstrated that it is in fact possible to achieve root privilege on such a phone without wiping the data. Sorry, Google!

I caught a subtle whiff of this possibility in a weekend post on the Google Commerce Blog by Osama Bedier, Vice President, Google Wallet and Payments. This post stated that "in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device." That's a slight step back from Google's earlier contention that there is no way to root a Wallet-compatible phone without wiping the data.

Escalation of PrivilegeRubin's latest post includes full details but remains understandable for any interested user. To start, he points out that there are different ways to attain root privilege on a smartphone. The most common technique involves unlocking the bootloader, but on the Nexus line of phones, unlocking the bootloader automatically wipes all data.

However, Rubin's Google Wallet Cracker doesn't require literally unlocking the bootloader. All it needs to do is break down the sandbox walls that keep one application from accessing another's data by elevating the current user's privilege level.

Rubin's post links to specific vulnerabilities that are present in the current operating system used by Nexus phones, along with a proof-of-concept hack based on one such vulnerability. He tested the exploit code and verified that it gave the current user root privilege without wiping the Google Wallet PIN or any other data. And, as he points out, it's quite likely that even after this vulnerability gets patched, others will surface.

What Does It Mean?In response to the initial warning, Google (and Rubin) advised users to never, ever run Google Wallet on a rooted phone. This new evidence shows that even if you don't root your phone, a thief could root it ex post facto and steal your funds.

Google and Rubin also both advised users to employ a screen lock of some kind. A simple PIN may not be sufficient. At last summer's Black Hat conference, security expert Dino Dai Zovi offered a list of estimated times to guess different levels of PIN codes. The time to crack a 4-digit numeric pin? Eighteen minutes. Fortunately, as Rubin pointed out, after each handful of bad guesses Android inserts a delay before allowing any more.

There are other ways to gain access to a phone even when a screen lock is active. Rubin explained to me exactly how USB Debugging could be used to get shell access to the device. I'm not going print the details here—no need to make it easy for the bad guys—but trust me; you must turn off USB Debugging.

It's also true that if you inadvertently install a malicious app that includes a privilege escalation exploit, your PIN may have been cracked already. Fortunately that PIN does absolutely no good unless the malware coder somehow connects with the thief who has physical possession of the phone.

Musing on what it would take to gain access through varying levels of security, Rubin concluded that a full password lock and full encryption should be sufficient to keep out the toughest hacker.

Convenience LostGoogle touts Google Wallet as much more convenient than conventional credit cards. Just wave your phone near the PayPass reader and presto! You've paid the bill. Unfortunately, protection powerful enough to block any possibility of PIN cracking cuts down the convenience factor.

Rubin concludes that power users will continue to root their devices and software vulnerabilities aren't going away. Kernel based privilege isolation isn't secure enough to protect "extremely sensitive data like that contained in Google Wallet." Probably Google's best way out of this dilemma will involve navigating some thorny legal issues that currently prevent them from storing the PIN inside the inaccessible Secure Element that holds data like the full credit card number. Let's hope they succeed.

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...
More »